diff options
| -rw-r--r-- | README.md | 8 | ||||
| -rw-r--r-- | example-client.conf (renamed from example-client.cfg) | 0 | ||||
| -rw-r--r-- | example-server.conf | 24 | ||||
| -rw-r--r-- | example-server.json | 24 |
4 files changed, 28 insertions, 28 deletions
@@ -37,8 +37,8 @@ The user can now ssh to the production machine, and continue to ssh to any machi # Usage Cashier comes in two parts, a [cli](cmd/cashier) and a [server](cmd/cashierd). -The client is configured using either a [HCL](https://github.com/hashicorp/hcl) configuration file - [example](example-client.cfg) - or command-line flags. -The server is configured using a JSON configuration file - [example](example-server.json). +The client is configured using either a [HCL](https://github.com/hashicorp/hcl) configuration file - [example](example-client.conf) - or command-line flags. +The server is configured using a HCL configuration file - [example](example-server.conf). For the server you need the following: - A new ssh private key. Generate one in the usual way using `ssh-keygen -f ssh_ca` - this is your CA signing key. At this time Cashier supports RSA, ECDSA and Ed25519 keys. *Important* This key should be kept safe - *ANY* ssh key signed with this key will be able to access your machines. @@ -50,11 +50,11 @@ For the server you need the following: ``` go get github.com/cashier/cmd/... ``` -2. Create a signing key with `ssh-keygen` and a [config.json](example-server.json) +2. Create a signing key with `ssh-keygen` and a [cashierd.conf](example-server.conf) 3. Run the cashier server with `cashierd` and the cli with `cashier`. ## Using docker -1. Create a signing key with `ssh-keygen` and a [config.json](example-server.json) +1. Create a signing key with `ssh-keygen` and a [cashierd.conf](example-server.conf) 2. Run ``` docker run -it --rm -p 10000:10000 --name cashier -v $(pwd):/cashier nsheridan/cashier diff --git a/example-client.cfg b/example-client.conf index b9e8232..b9e8232 100644 --- a/example-client.cfg +++ b/example-client.conf diff --git a/example-server.conf b/example-server.conf new file mode 100644 index 0000000..94c6b69 --- /dev/null +++ b/example-server.conf @@ -0,0 +1,24 @@ +server { + use_tls = true # Optional. If this is set then `tls_key` and `tls_cert` must be set + tls_key = "server.key" # Path to TLS key + tls_cert = "server.crt" # Path to TLS certificate + port = 443 # Port to listen on + cookie_secret = "supersecret" # Authentication key for the client cookie +} + +auth { + provider = "google" # Oauth provider to use + oauth_client_id = "nnnnnnnnnnnnnnnn.apps.googleusercontent.com" # Oauth client ID + oauth_client_secret = "yyyyyyyyyyyyyyyyyyyyyy" # Oauth client secret + oauth_callback_url = "https://sshca.example.com/auth/callback" # Oauth callback url + provider_opts { + domain = "example.com" # Oauth-provider specific options + } +} + +ssh { + signing_key = "signing_key" # Path to the CA signing secret key + additional_principals = ["ec2-user", "ubuntu"] # Additional principals to allow + max_age = "720h" # Maximum lifetime of a ssh certificate + permissions = ["permit-pty", "permit-X11-forwarding", "permit-agent-forwarding", "permit-port-forwarding", "permit-user-rc"] # Permissions associated with a certificate. +} diff --git a/example-server.json b/example-server.json deleted file mode 100644 index 1ac84f2..0000000 --- a/example-server.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "server": { - "use_tls": true, - "tls_key": "server.key", - "tls_cert": "server.crt", - "port": 443, - "cookie_secret": "supersecret" - }, - "auth": { - "provider": "google", - "oauth_client_id": "nnnnnnnnnnnnnnnn.apps.googleusercontent.com", - "oauth_client_secret": "yyyyyyyyyyyyyyyyyyyyyy", - "oauth_callback_url": "https://sshca.example.com/auth/callback", - "provider_opts": { - "domain": "example.com" - } - }, - "ssh": { - "signing_key": "signing_key", - "additional_principals": ["ec2-user", "ubuntu"], - "max_age": "720h", - "permissions": ["permit-pty", "permit-X11-forwarding", "permit-agent-forwarding", "permit-port-forwarding", "permit-user-rc"] - } -} |